Wpp

Product, Application and Offensive Security Lead

United Kingdom

The Product, Application and Offensive Security Lead is responsible for embedding security directly into the design, development, testing, and operation of DTS products and platforms.

This is a hands-on security engineering role. The role requires someone who can work directly with product and engineering teams, review designs, assess APIs, run threat models, test systems, coordinate penetration testing, identify vulnerabilities, and help teams remediate issues.

The role ensures DTS products, APIs, data collaboration capabilities, AI-enabled workflows, and client-facing services are designed, built, and tested securely. It also owns the practical offensive security and adversarial assurance activity needed to test DTS products from an attacker’s perspective.

The Product, Application and Offensive Security Lead will work closely with Product, Engineering, Architecture, Infrastructure, Security Operations, Privacy, Cloud and Platform Security, and the ISMS and Risk Officer to ensure security issues are identified early, fixed effectively, and tracked through governance where required.


Responsibilities

Provide hands-on security support across DTS products and engineering teams. This includes:

  • Reviewing product designs, technical designs, APIs, services, and integrations.
  • Identifying security weaknesses in applications, workflows, and data flows.
  • Advising engineering teams on secure implementation.
  • Supporting secure design decisions during product discovery and delivery.
  • Helping teams resolve security issues pragmatically without creating unnecessary delivery friction.

Embed security into the software development lifecycle across DTS. This includes:

  • Defining and applying secure engineering standards.
  • Supporting secure coding practices.
  • Reviewing CI/CD security controls.
  • Supporting SAST, DAST, SCA, secrets scanning, dependency scanning, and container scanning.
  • Helping teams triage, prioritise, and remediate security findings.
  • Working with engineering teams to make security checks practical and repeatable.

Run threat modelling and security design reviews for new and changed capabilities. This includes:

  • Facilitating threat modelling sessions with engineering and product teams.
  • Reviewing authentication and authorization designs.
  • Assessing API exposure, data flows, trust boundaries, and abuse cases.
  • Identifying risks around tenant isolation, privilege escalation, data leakage, and misuse.
  • Documenting key findings, recommendations, and residual risks.

Carry out and coordinate offensive security testing across DTS products and platforms. This includes:

  • Performing hands-on security testing of products, APIs, and workflows.
  • Coordinating external penetration tests.
  • Supporting red team and purple team exercises where required.
  • Testing abuse cases and attacker paths.
  • Testing access control, authentication, authorization, and data leakage risks.
  • Validating remediation of security findings.
  • Feeding material risks into the ISMS and Risk Officer for tracking.

Provide security assurance for APIs, integrations, and data products. This includes:

  • Reviewing externally exposed APIs and partner integrations.
  • Assessing rate limiting, authorization, tenant isolation, logging, abuse prevention, and data leakage controls.
  • Supporting secure integration between InfoSum, Open Intelligence, Resolve, WPP Open, and third-party platforms.
  • Reviewing data product workflows for misuse, excessive access, or unintended exposure.
  • Working with Privacy Engineering on privacy-sensitive APIs, algorithms, and outputs.

Provide hands-on security review and adversarial testing for AI-enabled and agentic capabilities. This includes:

  • Testing prompt injection, tool misuse, data leakage, and excessive agency.
  • Reviewing how agents access APIs, data, tools, and workflows.
  • Testing whether agent permissions can be bypassed or escalated.
  • Assessing action boundaries and human approval points.
  • Working with Identity, AI, and Data Access Governance to validate agent access models.
  • Documenting AI and agentic security risks and remediation actions.

Help teams understand, prioritise, and fix security vulnerabilities. This includes:

  • Reviewing vulnerability findings from scans, penetration tests, code reviews, cloud tools, and external reports.
  • Prioritising findings based on exploitability, exposure, data sensitivity, and business impact.
  • Working directly with engineers to define remediation options.
  • Validating that fixes are effective.
  • Supporting exception and risk acceptance decisions where remediation is delayed.
  • Ensuring significant issues are visible through the DTS risk process.

Act as a practical security partner to engineering teams. This includes:

  • Providing secure implementation guidance.
  • Creating lightweight security patterns and examples.
  • Coaching engineers on common application, API, and AI security risks.
  • Helping teams understand the “why” behind security requirements.
  • Supporting a culture where security is part of product quality, not a separate approval gate.

The Product, Application and Offensive Security Lead will be accountable for:

  • Hands-on application and product security support across DTS.
  • Secure SDLC guidance and practical adoption.
  • Threat modelling and security design reviews.
  • API, integration, and data product security reviews.
  • Offensive security and adversarial testing activity.
  • AI and agentic security testing.
  • Vulnerability triage, remediation guidance, and fix validation.
  • Coordination with ISMS/Risk to ensure material risks and exceptions are tracked.
  • Helping engineering teams build secure systems without unnecessary delivery drag.

Requirements

The successful candidate will have:

  • Strong hands-on experience in application security, product security, offensive security, security engineering, or penetration testing.
  • Good understanding of modern software engineering, APIs, SaaS platforms, distributed systems, and cloud-native applications.
  • Experience with threat modelling and secure design reviews.
  • Practical knowledge of common application and API security risks, including authentication, authorization, tenant isolation, injection, data leakage, privilege escalation, and supply chain risk.
  • Experience using security testing tools and techniques across web applications, APIs, cloud services, and CI/CD pipelines.
  • Familiarity with SAST, DAST, SCA, secrets scanning, dependency scanning, and vulnerability management workflows.
  • Experience working directly with engineers to remediate findings.
  • Understanding of AI and agentic security risks would be highly valuable.
  • Ability to communicate clearly with engineering, product, architecture, security, and leadership stakeholders.
  • A pragmatic, delivery-aware approach to security.

The Product, Application and Offensive Security Lead is expected to:

  • Be hands-on and technically credible with engineering teams.
  • Act as a trusted security partner, not just a reviewer or approver.
  • Challenge insecure designs constructively.
  • Help teams find practical ways to reduce risk.
  • Prioritise issues based on real-world exploitability and business impact.
  • Work across multiple DTS product areas without becoming a delivery bottleneck.
  • Escalate material risks clearly through the appropriate governance routes.
  • Promote secure engineering habits through practical guidance and example.

Success in the role will be measured by:

  • Security being embedded earlier in product and engineering delivery.
  • Reduction in high-risk application, API, and product vulnerabilities.
  • Regular threat modelling and security reviews for critical DTS capabilities.
  • Effective offensive and adversarial testing of products, APIs, and workflows.
  • Faster remediation of penetration test and security testing findings.
  • Improved security assurance for AI and agentic workflows.
  • Engineering teams receiving practical, actionable security guidance.
  • Material security risks being surfaced and tracked through the DTS risk process.
  • Security being viewed by engineering teams as an enabler of trusted delivery rather than a blocker.

Location & Eligibility

Where is the job: United Kingdom (on-site at the office)
Who can apply: Same as job location

Listing Details

Posted: July 3, 2026